single sign on - ASP.NET web application - use AzureAD for MFA / SSO for custom web applications

We currently use Azure AD across our corporate environments. We utilise SSO that signs us in to a large number of applications eg. Office 365, Devops, Freshdesk and about 30 other applications.

We have 6 internal custom web applications (all ASP.NET Webforms on .NET 4.8) that have a custom login which hits an internal endpoint which we manually authenticate against our AD server. However, we've been asked to get AzureAD to directly authenticate against so that we can use MFA.

I have been able to set this up by utilising OpenID Connect.

app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
    ClientId = clientId,
    Authority = authority,
    PostLogoutRedirectUri = postLogoutRedirectUri,
    
    Notifications = new OpenIdConnectAuthenticationNotifications()
    {
        AuthenticationFailed = (context) =>
        {
            return Task.FromResult(0);
        },

        SecurityTokenValidated = (context) =>
        {
            string name = context.AuthenticationTicket.Identity.FindFirst("name").Value;
            context.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Name, name, string.Empty));
            return Task.FromResult(0);
        }

    }
});

This sends the user to login.microsoftonline.com for logging in and MFA. The issue that we have is that this shares the same SSO as all our other apps.

What we would like is to have these 6 applications share SSO only between these 6 applications. So if we logout of 1 app all 6 apps are logged out, but we won't be logged out of other applications, i.e. Office 365 etc

I'm assuming this is possible? I've tried a number of different options such as overriding the cookie options and signing out of the cookie on signout. But I think what happens here is once you become unauthenticated you are returned to the identity provider (Azure AD) and you are still active so it immediately reauthenticates and you get a new cookie.

I've seen a suggestion here that you might need to create a whole new tenant and have the app registrations against that tenant so that the SSO is only against the applications on this tenant. This seems logical but then when I create it - it seems that you need to start paying to add the same set of users into it?

Additionally, we don't want to have to manage 2 sets of users from our whole organisation.

Is this even possible? Any help is appreciated.

edited May 2 at 3:45

marc_s

748k180 gold badges1.4k silver badges1.5k bronze badges

asked May 2 at 2:47

glenho123

5772 gold badges7 silver badges23 bronze badges

Add a comment |

Collectives™ on Stack Overflow

ASP.NET web application - use AzureAD for MFA / SSO for custom web applications

0

Browse other questions tagged
asp.net
single-sign-on
openid-connect
or ask your own question.

Hot Network Questions

Collectives™ on Stack Overflow

0

Know someone who can answer? Share a link to this question via email, Twitter, or Facebook.

Browse other questions tagged asp.netsingle-sign-onopenid-connect or ask your own question.

Browse other questions tagged
asp.net
single-sign-on
openid-connect
or ask your own question.